'Gray' Areas In Data Protection: A Tale Of Ignorance And Interpretation

Thomas Gray is commonly quoted today for the above lines. And yet, how often do we only quote "ignorance is bliss", while being ignorant of his actual context? Selective reading of this kind can often give rise to a different interpretation. But poetry thrives on interpretations, and differing theories are often given while interpreting the same piece of literature. Like poetry, law, too, by its nature is subject to frequent interpretation. But unlike poetry, law cannot afford to have multiple interpretations. One of our most vital modern laws is prone to just that, and worse, and it is a big cause of concern. Unless, of course, we have selectively read Gray's lines!


This is a tale of ignorance: that of our lawmakers towards our laws, our data and us. It is also a tale of our own ignorance of the implications of this. The laws in this tale are those relating to our data protection. The underlying theme of this tale is Gray and his (mis)quoted lines, and full poetic liberty has been taken to (mis)use it wherever (in)appropriate.

Ignorance of (drafting of) law

As a legal principle, ignorance of law is no excuse. In other words, the law is that you cannot ignore the law. Data protection laws -- or the laws which protect our data stored electronically from being misused by others during our day-to-day activities such as filling in forms, sharing photos or simply visiting a website -- mainly comprise the Information Technology Act, 2000 and the Sensitive Personal Data Rules, 2011. The resultant problem here is that you can neither follow the law and attain compliance (as the legal principle wants), nor ignore it and attain bliss (as a (mis)quoted Gray wants). The reason, simply, is ignorant drafting.

Unintended Consequences

A literal interpretation of the rules means that if a company or its representative collects, receives or even handles any "information" (whether electronically or not), it needs to provide a privacy policy to the provider of such information. The privacy policy, by the way, is required to provide for practices, policies, etc. for handling "personal" information only. It also needs to inform the provider of information about the purpose of its collection, its intended recipients and the name and address of the agency collecting it. Moreover, prior to its collection, the company or its representative must give an option to the provider to not provide it. Careless use of words has made these provisions overreaching in scope and prone to unintended consequences.

For example, imagine a scenario where you visit a restaurant and a waiter asks you for your order. Before you answer, and applying these rules literally, the waiter would, first of all, tell you that you still have an option to not place your order! Ignoring this absurdity, you place the order. This results in the restaurant receiving some information from you. Consequently, you must be prepared to know about their privacy policy, that is, how and why they collect certain kinds of information, how they keep it secure, etc. Not just this, to comply with another provision in the rules, the waiter must also inform you that the information about your order is being collected for preparing your food and billing you for it only; and that only the chef, his support staff and the cashier will receive this information; and that the name of the company owning the restaurant is IFollowTheLaw Pvt Ltd, and their address is 1, Compliance Avenue.

Interestingly, William Davenant's lines above are believed to be one of the inspirations for Gray's own words. And in spite of the totally different context, a person out to eat in a restaurant might agree with Davenant and choose to not know so much! Fortunately, common sense precludes a restaurant from following the letter of this law. Unfortunately, such examples abound of the absurdity this law creates in daily situations.

Much room for interpretation

Around the world, the requirement to provide a privacy policy or information about the handling of data applies to situations where a company collects your "personal" or "sensitive" information. The reasoning is that a situation involving such kinds of information must be handled with greater care, and principles such as informed consent, prior knowledge, necessity of collection, etc. must be followed. A person placing an order for food or shopping in a marketplace (electronically or otherwise), however, does not need a similar degree of caution in his interactions. Such requirements can, on the contrary, be a great source of annoyance.


So what do companies do? They cannot ignore the law, but they would rather not follow this one literally. As seen above, common sense itself precludes a company from following a literal interpretation of these rules. The only option is to utilize tools such as teleological interpretation, harmonious construction, systematic interpretation and suchlike.

No room for ignorance

So there is a law requiring interpretation and there are tools to interpret it -- isn't that how most legal frameworks are anyway? Perhaps they are, but this one is of immense impact and importance, and one of our most vital modern laws. And while the adequacy and contents of the framework are frequently debated, the least the laws could do is to be clear and unambiguous.

Data is the new oil, and the new currency. And with cyber-crime posing constant threats, and the Big Data wave fast approaching, we cannot afford to be interpreting shockingly absurd legal drafting and second-guessing the laws. Companies should know what companies should do.

If our path ahead is blocked with any trouble, all the time before we find it out is always pure gain.